Hypertext Transfer Protocol (HTTP) is an application-level protocol for distributed, collaborative, hypermedia information systems. It is a generic, stateless protocol which can be used for many purposes beyond hypertext. A feature of HTTP is the typing and negotiation of data representation, which allows systems to be built independently of the data being transferred. When a client and a server communicate using the stateless HTTP protocol, the communication is typically held within the context of a session which keeps the state between the client and the server. In order to keep a session active, the client is required to periodically transmit client requests to the server before a session timer expires. The server determines whether a session is active by comparing the time at which the last client request was received against the current time. If the difference between the current time and the time at which the last client request was received is greater than (or equal to) a user session timeout period, the server destroys the session, rendering the session inactive. A session timeout is important because it allows the server to allocate the otherwise unused resources to other clients. Session timeout is also important because it prevents inactive clients from being left vulnerable to unauthorized users.
Some clients are equipped with an automatic refresh timer. These clients will continue to send client requests to the server automatically at a set interval to keep the client up-to-date with the server even if there is no user activity. If the automatic refresh timer interval is shorter than the session timeout interval at the server, the client will never time out even if there is no user activity at all. Thus, when a client is equipped with an automatic refresh timer with an interval that is shorter than the session timeout interval, the purpose of a session timeout is defeated, and the client is left in a vulnerable state.
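The following simulation is an added example, not part of the original text: it implements the server-side timeout check described above in two variants, one where any request restarts the idle timer (so a refresh timer shorter than the timeout keeps the session alive forever) and one where only user-initiated requests do. It assumes a hypothetical `auto_refresh` flag that the client sets on timer-driven requests (for example via an assumed `X-Auto-Refresh` header); no such marker is defined in the text.

```python
from dataclasses import dataclass
from typing import Dict, Optional


@dataclass
class Session:
    last_request: float        # time of the last request of any kind
    last_user_activity: float  # time of the last user-initiated request


class SessionStore:
    def __init__(self, timeout: float, refresh_extends_session: bool) -> None:
        self.timeout = timeout
        # True reproduces the behaviour described in the text: every request,
        # including timer-driven refreshes, restarts the idle timer.
        self.refresh_extends_session = refresh_extends_session
        self.sessions: Dict[str, Session] = {}

    def create(self, sid: str, now: float) -> None:
        self.sessions[sid] = Session(last_request=now, last_user_activity=now)

    def handle_request(self, sid: str, now: float, auto_refresh: bool) -> bool:
        """Server-side timeout check; False means the session was destroyed."""
        s = self.sessions.get(sid)
        if s is None:
            return False
        idle_since = s.last_request if self.refresh_extends_session else s.last_user_activity
        if now - idle_since >= self.timeout:
            del self.sessions[sid]  # the server destroys the inactive session
            return False
        s.last_request = now
        if not auto_refresh:  # hypothetical flag, e.g. an assumed X-Auto-Refresh header
            s.last_user_activity = now
        return True


def time_of_expiry(store: SessionStore, refresh_interval: float,
                   observe_for: float) -> Optional[float]:
    """User logs in at t=0, then does nothing; the client auto-refreshes every
    refresh_interval seconds. Return the time at which the server rejected the
    session, or None if it was still alive after observe_for seconds."""
    store.create("sid-1", 0.0)
    t = refresh_interval
    while t <= observe_for:
        if not store.handle_request("sid-1", t, auto_refresh=True):
            return t
        t += refresh_interval
    return None
```

With a 300-second timeout and a 60-second refresh timer, the first variant never expires an idle user's session, while the second destroys it at t=300 exactly as if the refresh timer were absent.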